The U.S. Department of Health and Human Services, Office of Civil Rights (“OCR”), the agency tasked with enforcing the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), recently announced that it will redouble its efforts to investigate smaller breaches of Protected Health Information (“PHI”) that affect fewer than five-hundred (500) individuals.
It has been widely known that OCR opens an investigation for every breach affecting more than 500 individuals; this announcement describes OCR’s new initiative to investigate smaller breaches as well. OCR stated that in determining when it will open an investigation, it will evaluate a number of factors, such as: (1) the size of the breach, (2) whether the PHI was stolen or improperly disposed of, (3) whether an entity reports multiple breaches, (4) whether numerous entities are reporting breaches of a particular type, and (5) whether the breach involved unauthorized access to an IT system. The announcement also notes that OCR may consider lack of breach reports for a region, suggesting that OCR is interested in investigating the potential of under reporting.
The announcement emphasized that OCR can determine both large scale trends among HIPAA regulated entities, and entity-specific compliance issues that must be addressed by investigating breaches. The announcement also serves as a warning to persons and/or entities subject to HIPAA to ensure that their breach reporting and other HIPAA compliance efforts are up-to-date and ready to withstand any potential scrutiny from OCR.